Are there Insecure Webforms on your Assets? Data Suggests Yes

That’s why this past January, internet browser giants Google and Mozilla attempted to increase the security awareness of their users around the dangers of using insecure forms. Any information submitted over a connection not secured by HTTPS—login credentials, credit card numbers, and other personal information—can easily be intercepted by threat actors.

The latest iterations of both Google Chrome and Mozilla Firefox now feature warnings (shown below) to users who are entering sensitive data on non-secure HTTP connections. For advanced internet users and security professionals, the dangers of using non-encrypted internet connections should be clear. However, your average internet user can be oblivious to these threats:

Fig-1 Mozilla Insecure Form Warning

Diving into customer data gives insight into the kinds of risk assessment decisions our Enterprise Digital Footprint customers are faced with. When analyzing a sample size of 154 workspaces of customers that have at least 3,000 confirmed assets, we found that, on average, each workspace had 9,712 unique URLs that were classified as insecure forms.

It’s not that most security teams are negligent, either—while HTTPS (Hypertext Transfer Protocol Secure) has been around for years, it is only now becoming the standard baseline for internet security. HTTPS uses SSL/TLS encryption to keep data between a user’s browser and a web server private. The session begins with a “handshake,” in which the server presents its SSL/TLS certificate so the browser can authenticate the server and the two sides can agree on the keys used to encrypt the session.

Fig-2 Example of Google Chrome Insecure Form Warning

The implications of not using HTTPS connections are vast. The loss of personal data, profit, and reputation are all very legitimate concerns when talking about risk assessment.

Consumer Guidance

Consumers can protect themselves online by taking the following steps:

2. Make sure your computer has the latest security patches, and make sure that you conduct your financial transactions only on a secure web page using encryption. You can tell if a page is secure in a couple of ways. Look for a closed padlock in the status bar, and see that the URL starts with “https” instead of just “http.”

3. Some phishers make spoofed websites that appear to have padlocks. To double-check, click on the padlock icon on the status bar to see the security certificate for the site. Next to “Issued to” in the pop-up window you should see the name matching the site you think you’re on. If the name differs, you are probably on a spoofed site.

Know Your Enterprise Digital Footprint, Know Your Insecure Webforms

Unfortunately, most consumers don’t take the above precautions. The action taken by Google and Firefox is encouraging, but often it’s up to businesses to protect their consumers from insecure web forms.

Insecure forms are just one major component that we here at RiskIQ track for our Digital Footprint customers. These customers are not only concerned with what their assets are, but also mitigating vulnerabilities to ensure those assets are secured for their respective users. Once you have an accurate picture of your digital footprint, it is far easier to understand and implement mitigation techniques to ensure that all of your external assets are protected. This inventory of your assets is also critical for compliance with numerous industry regulations.

Once the full inventory of digital assets has been established and confirmed, continuous monitoring of those assets is critical. Digital Footprint provides continuous monitoring and scanning of digital assets for issues such as malware, infrastructure failure (such as insecure webforms), defacement, and compliance.
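An added example (not RiskIQ’s or Digital Footprint’s code) of the kind of check that classifies a URL as an insecure form, as described above: it parses the forms on a page, resolves each form’s action against the page URL, and flags those that would submit over plain http://, noting whether the fields look like they carry sensitive data. The host names, the sample HTML and the sensitive-field heuristic are constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Heuristic (an assumption of this example): field types / name fragments that usually carry sensitive data.
SENSITIVE_TYPES = {"password", "email", "tel"}
SENSITIVE_NAMES = ("card", "cvv", "ssn", "pass", "account")


class FormScanner(HTMLParser):
    """Collects every <form> on a page with its action and its input fields."""
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action") or "", "inputs": []}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None:
            self._cur["inputs"].append(((a.get("type") or "text").lower(),
                                        (a.get("name") or "").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None


def is_sensitive(inputs):
    """True if any field looks like a credential, card number or identifier."""
    return any(t in SENSITIVE_TYPES or any(k in n for k in SENSITIVE_NAMES)
               for t, n in inputs)


def find_insecure_forms(page_url, html):
    """Return (submit_url, sensitive) for each form that would submit over plain HTTP.
    The action is resolved against the page URL, so an empty or relative action
    inherits the page's scheme: '/login' on an http:// page is insecure."""
    scanner = FormScanner()
    scanner.feed(html)
    findings = []
    for form in scanner.forms:
        target = urljoin(page_url, form["action"])
        if urlsplit(target).scheme.lower() == "http":
            findings.append((target, is_sensitive(form["inputs"])))
    return findings


# Constructed sample: an http:// page with a relative login form, a search form,
# and a form posting to an https:// endpoint (only the first two are flagged).
SAMPLE_PAGE = "http://shop.example/account"
SAMPLE_HTML = ('<form action="/login"><input name="user"><input type="password" '
               'name="pass"></form><form><input type="search" name="q"></form>'
               '<form action="https://pay.example/checkout"><input name="card_number"></form>')
```

Run over a crawl of confirmed assets, the `sensitive` flag separates the login and payment forms that need fixing first from, for example, a site search box.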